Bug#1070851: glib2.0: minor memory leak after fixing CVE-2024-34397
Simon McVittie
smcv at debian.org
Fri May 10 14:40:48 BST 2024
Source: glib2.0
Version: 2.74.6-2+deb12u1
Severity: minor
Tags: patch fixed-upstream
X-Debbugs-Cc: security at debian.org
Control: found -1 2.79.0+git20240110~g38f5ba3c-1
Control: found -1 2.66.8-1+deb11u2
Control: fixed -1 2.80.2-1
While applying the CVE-2024-34397 fixes to glib2.0 in (old)stable,
I backported an upstream bug fix from GLib 2.79.x to fix a possible
use-after-free, which had gone undetected in older versions, but caused
intermittent failures in the new test coverage that I added to reproduce
CVE-2024-34397.
It turns out that this bug fix is not 100% correct, and causes a rare
memory leak: if a program replaces a non-NULL message body with a different
non-NULL message body, the first argument of the old message body is leaked.
This has now been fixed upstream and will be in 2.80.3, and I backported
the fix in 2.80.2-1 (uploaded to unstable today).
My current understanding is that this will not affect
typical applications, and only applications that call
g_dbus_connection_add_filter() and use it to edit incoming or outgoing
messages in-place will normally be affected. This is not a common pattern,
and the only real-world use I'm aware of is that stretch's gdm3 had a hack
that used this to work around an incompatibility between jessie and stretch
versions' D-Bus APIs during upgrade.
This is technically a regression in a security update, so I'm cc'ing
the security team, but I imagine they will not want to update the DSA
for this. My inclination is to wait for a few days to see whether
there are any other regressions; if yes, take the opportunity to
fix this leak at the same time; and otherwise, propose an upload to
(old)stable-proposed-updates fixing the memory leak.
smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gdbusmessage-Clean-the-cached-arg0-when-setting-the-.patch
Type: text/x-diff
Size: 1485 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240510/0a4af4b5/attachment-0001.patch>
More information about the pkg-gnome-maintainers
mailing list